8f6b576b70082b7caf64b27ce6a398daee85a10f0e7ee0ea028e8d7d7cf7852e

Analysis

max time kernel
141s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

192.168.1.225_80_http_IsSetup_Agent (6).exe
Size

6.6MB
MD5

e955db4c2f0f23c838b2fed4941dd85a
SHA1

a9ef9edee588aa33a62051e658fea07a86d997fe
SHA256

8f6b576b70082b7caf64b27ce6a398daee85a10f0e7ee0ea028e8d7d7cf7852e
SHA512

c7c3ddc067185337722709b78c05dd3346ba19bcb3893e2b573f300db3a82883416af1e2fef256f54c7a131de9c7f2d84c0f4f375daf2376cac0c04fd1508859
SSDEEP

196608:ejpQfSmtq6qQ6lwgLPTmYNPbivefgKLaDT1:/RtqrQ6lX5NPCehq1

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\	IsaHelp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\IsaHelp.exe = "0"	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\svchost.exe = "0"	IsaHelp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\IsaHelp.exe = "0"	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\svchost.exe = "0"	IsaHelp.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\SysWOW64\\IsAgent\\IsaSvc.dll"	192.168.1.225_80_http_IsSetup_Agent (6).exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "c:\\windows\\System32\\isagent\\IsaSvc.dll"	svchost.exe

Windows security modification 2 TTPs 16 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions	IsaHelp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes\	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes\IsaHelp.exe = "0"	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes\svchost.exe = "0"	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\svchost.exe = "0"	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes\svchost.exe = "0"	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\IsaHelp.exe = "0"	IsaHelp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes	IsaHelp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes\	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes\IsaHelp.exe = "0"	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\svchost.exe = "0"	IsaHelp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\	IsaHelp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\IsaHelp.exe = "0"	IsaHelp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\	IsaHelp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	IsaHelp.exe

Modifies Windows Firewall 2 TTPs 26 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2472	netsh.exe
724	netsh.exe
2332	netsh.exe
2976	netsh.exe
3388	netsh.exe
1684	netsh.exe
4732	netsh.exe
3624	netsh.exe
2608	netsh.exe
1704	netsh.exe
2804	netsh.exe
4164	netsh.exe
1564	netsh.exe
4148	netsh.exe
1200	netsh.exe
1440	netsh.exe
4772	netsh.exe
4896	netsh.exe
3308	netsh.exe
3884	netsh.exe
1728	netsh.exe
2312	netsh.exe
3576	netsh.exe
5104	netsh.exe
2652	netsh.exe
2700	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	192.168.1.225_80_http_IsSetup_Agent (6).exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	192.168.1.225_80_http_IsSetup_Agent (6).exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IsAgent\zh.langue	192.168.1.225_80_http_IsSetup_Agent (6).exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\敒瑳牡⹴浸l	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\潔汯楔啰⹉浸l	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧档捥彫敲畳瑬湟牯慭⹬湰g锰璦빛뉵毤璦񆂥묠璨	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\img\hscrollbar.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧摳瀮杮	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\img\tool.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\img\shadow.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\Uninstall.xml	IsaHelp.exe
File created	C:\Windows\SysWOW64\IsAgent\IsaHelp.exe	192.168.1.225_80_http_IsSetup_Agent (6).exe
File created	C:\Windows\system32\IsaRemove.lnk	192.168.1.225_80_http_IsSetup_Agent (6).exe
File created	\??\c:\windows\SysWOW64\isagent\skin\AuthAndCheck.xml	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧楷楦敟慮汢⹥湰g𨲥ﮀɪ锰璦빛뉵毤璦񆂥묠璨	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\img\scrollbar.bmp	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\DeviceListItemContainer.xml	IsaHelp.exe
File opened for modification	C:\Windows\SysWOW64\IsAgent\UAM_UAS.dll	192.168.1.225_80_http_IsSetup_Agent (6).exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\img\clock.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\img\computer.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\獭执硯砮汭	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧敲牦獥全⹒湰gˇ𨵒ˇ锰畓圓ꪒ毤畓񆅒묠畕	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧敲牦獥彨牱瀮杮Ȁ𨵒ˇ锰畓圓ꪒ毤畓񆅒묠畕	IsaHelp.exe
File opened for modification	C:\Windows\SysWOW64\IsAgent\config.xml	192.168.1.225_80_http_IsSetup_Agent (6).exe
File opened for modification	C:\Windows\SysWOW64\IsaAgent.bin	svchost.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧瑢彮業⹮湰g򡉪𨲥ﮀɪ锰璦빛뉵毤璦񆂥묠璨	IsaHelp.exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\loading.gif	IsaHelp.exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\visitor_code_hot.png	IsaHelp.exe
File opened for modification	C:\Windows\SysWOW64\IsAgent\OfflineData.dat	IsaHelp.exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\btn_blue_round_rect.png	IsaHelp.exe
File created	\??\c:\windows\SysWOW64\isagent\skin\Restart.xml	IsaHelp.exe
File created	C:\Windows\SysWOW64\IsAgent\AsmAuthClient.dll	192.168.1.225_80_http_IsSetup_Agent (6).exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\apply_remote_normal.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧档捥扫硯畟⹮湰g𨲥ﮀɪ锰璦빛뉵毤璦񆂥묠璨	IsaHelp.exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\sd.png	IsaHelp.exe
File opened for modification	C:\Windows\SysWOW64\IsAgent\AboutDlg.exe	192.168.1.225_80_http_IsSetup_Agent (6).exe
File created	C:\Windows\SysWOW64\IsAgent\fault.png	192.168.1.225_80_http_IsSetup_Agent (6).exe
File opened for modification	C:\Windows\SysWOW64\IsAgent\Internal_Config.xml	192.168.1.225_80_http_IsSetup_Agent (6).exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\img\btn_close_highlight.png	IsaHelp.exe
File opened for modification	C:\Windows\SysWOW64\IsAgent\IsaTrayMenu.dll	192.168.1.225_80_http_IsSetup_Agent (6).exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\root_department.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧瑢彮汣獯彥潮浲污瀮杮ˇ锰畓圓ꪒ毤畓񆅒묠畕	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\img\default_menu_hot.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧慦獬⹥湰g	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧畡桴损敨正摟獩扡敬瀮杮Ȁ锰璦빛뉵毤璦񆂥묠璨	IsaHelp.exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\check_result_normal.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧敤慦汵⹴湰g򡉪𨲥ﮀɪ锰璦빛뉵毤璦񆂥묠璨	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧敨灬瀮杮	IsaHelp.exe
File opened for modification	C:\Windows\SysWOW64\IsAgent\IPSec.dll	192.168.1.225_80_http_IsSetup_Agent (6).exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧湡污穹彥潴汯桟瑯瀮杮ﬀɪ锰璦빛뉵毤璦񆂥묠璨	IsaHelp.exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\btn_close_down.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\img\refresh.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧湩潦潧瀮杮	IsaHelp.exe
File created	C:\Windows\SysWOW64\IsAgent\libssl-1_1.dll	192.168.1.225_80_http_IsSetup_Agent (6).exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\auth_check_disable.png	IsaHelp.exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\device_info_hot.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\牐浯瑰䥕砮汭	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧湡污穹彥潴汯湟牯慭⹬湰g锰畓圓ꪒ毤畓񆅒묠畕	IsaHelp.exe
File opened for modification	C:\Windows\SysWOW64\IsAgent\LcfUpdateDot1xModule.dll	192.168.1.225_80_http_IsSetup_Agent (6).exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧獶牣汯扬牡瀮杮Ȁ𨲥ﮀɪ锰璦빛뉵毤璦񆂥묠璨	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧畡桴损敨正摟獩扡敬瀮杮Ȁ锰畓圓ꪒ毤畓񆅒묠畕	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧瑢彮汢敵牟畯摮牟捥⹴湰g锰畓圓ꪒ毤畓񆅒묠畕	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\img\btn_pc.png	IsaHelp.exe
File opened for modification	\??\c:\windows\SysWOW64\isagent\skin\浩⽧瑢彮潬楧彮異桳瀮杮琀ﮀɪ锰璦빛뉵毤璦񆂥묠璨	IsaHelp.exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\btn_qr_code_hot.png	IsaHelp.exe
File created	\??\c:\windows\SysWOW64\isagent\skin\img\guest.png	IsaHelp.exe

Executes dropped EXE 5 IoCs

pid	Process
3532	IsaHelp.exe
4960	IsaSvcProtectServer.exe
1936	IsaHelp.exe
996	IsaHelp.exe
5012	IsaHelp.exe

Loads dropped DLL 60 IoCs

pid	Process
3736	192.168.1.225_80_http_IsSetup_Agent (6).exe
3736	192.168.1.225_80_http_IsSetup_Agent (6).exe
3736	192.168.1.225_80_http_IsSetup_Agent (6).exe
3736	192.168.1.225_80_http_IsSetup_Agent (6).exe
3736	192.168.1.225_80_http_IsSetup_Agent (6).exe
3736	192.168.1.225_80_http_IsSetup_Agent (6).exe
3736	192.168.1.225_80_http_IsSetup_Agent (6).exe
3736	192.168.1.225_80_http_IsSetup_Agent (6).exe
456	svchost.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe
3532	IsaHelp.exe
3532	IsaHelp.exe
3532	IsaHelp.exe
3532	IsaHelp.exe
4960	IsaSvcProtectServer.exe
1936	IsaHelp.exe
1936	IsaHelp.exe
1936	IsaHelp.exe
1936	IsaHelp.exe
456	svchost.exe
3532	IsaHelp.exe
3532	IsaHelp.exe
1936	IsaHelp.exe
1936	IsaHelp.exe
3532	IsaHelp.exe
3532	IsaHelp.exe
1936	IsaHelp.exe
1936	IsaHelp.exe
1936	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
5012	IsaHelp.exe
5012	IsaHelp.exe
5012	IsaHelp.exe
5012	IsaHelp.exe
5012	IsaHelp.exe
5012	IsaHelp.exe
5012	IsaHelp.exe
5012	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
5012	IsaHelp.exe
5012	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
5012	IsaHelp.exe
5012	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe
5012	IsaHelp.exe
5012	IsaHelp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
1328	taskkill.exe
1728	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AsmHtmlDlg.exe = "11000"	IsaHelp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	IsaHelp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AsmHtmlDlg.exe = "11000"	IsaHelp.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
456	svchost.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe
456	svchost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeTcbPrivilege	456	svchost.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeCreateTokenPrivilege	456	svchost.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeTcbPrivilege	456	svchost.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeCreateTokenPrivilege	456	svchost.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeDebugPrivilege	456	svchost.exe
Token: SeDebugPrivilege	456	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1936	IsaHelp.exe
996	IsaHelp.exe
996	IsaHelp.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1936	IsaHelp.exe
996	IsaHelp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 4536	3736	192.168.1.225_80_http_IsSetup_Agent (6).exe	99
PID 3736 wrote to memory of 4536	3736	192.168.1.225_80_http_IsSetup_Agent (6).exe	99
PID 3736 wrote to memory of 4536	3736	192.168.1.225_80_http_IsSetup_Agent (6).exe	99
PID 4536 wrote to memory of 5052	4536	cmd.exe	103
PID 4536 wrote to memory of 5052	4536	cmd.exe	103
PID 4536 wrote to memory of 5052	4536	cmd.exe	103
PID 456 wrote to memory of 3532	456	svchost.exe	102
PID 456 wrote to memory of 3532	456	svchost.exe	102
PID 456 wrote to memory of 3532	456	svchost.exe	102
PID 5052 wrote to memory of 1728	5052	cmd.exe	105
PID 5052 wrote to memory of 1728	5052	cmd.exe	105
PID 5052 wrote to memory of 1728	5052	cmd.exe	105
PID 456 wrote to memory of 1936	456	svchost.exe	106
PID 456 wrote to memory of 1936	456	svchost.exe	106
PID 456 wrote to memory of 1936	456	svchost.exe	106
PID 5052 wrote to memory of 1684	5052	cmd.exe	107
PID 5052 wrote to memory of 1684	5052	cmd.exe	107
PID 5052 wrote to memory of 1684	5052	cmd.exe	107
PID 3736 wrote to memory of 3692	3736	192.168.1.225_80_http_IsSetup_Agent (6).exe	108
PID 3736 wrote to memory of 3692	3736	192.168.1.225_80_http_IsSetup_Agent (6).exe	108
PID 3736 wrote to memory of 3692	3736	192.168.1.225_80_http_IsSetup_Agent (6).exe	108
PID 5052 wrote to memory of 2608	5052	cmd.exe	111
PID 5052 wrote to memory of 2608	5052	cmd.exe	111
PID 5052 wrote to memory of 2608	5052	cmd.exe	111
PID 5052 wrote to memory of 1440	5052	cmd.exe	112
PID 5052 wrote to memory of 1440	5052	cmd.exe	112
PID 5052 wrote to memory of 1440	5052	cmd.exe	112
PID 5052 wrote to memory of 2472	5052	cmd.exe	113
PID 5052 wrote to memory of 2472	5052	cmd.exe	113
PID 5052 wrote to memory of 2472	5052	cmd.exe	113
PID 5052 wrote to memory of 2700	5052	cmd.exe	114
PID 5052 wrote to memory of 2700	5052	cmd.exe	114
PID 5052 wrote to memory of 2700	5052	cmd.exe	114
PID 5052 wrote to memory of 1564	5052	cmd.exe	115
PID 5052 wrote to memory of 1564	5052	cmd.exe	115
PID 5052 wrote to memory of 1564	5052	cmd.exe	115
PID 5052 wrote to memory of 4732	5052	cmd.exe	116
PID 5052 wrote to memory of 4732	5052	cmd.exe	116
PID 5052 wrote to memory of 4732	5052	cmd.exe	116
PID 5052 wrote to memory of 5104	5052	cmd.exe	117
PID 5052 wrote to memory of 5104	5052	cmd.exe	117
PID 5052 wrote to memory of 5104	5052	cmd.exe	117
PID 5052 wrote to memory of 1728	5052	cmd.exe	118
PID 5052 wrote to memory of 1728	5052	cmd.exe	118
PID 5052 wrote to memory of 1728	5052	cmd.exe	118
PID 5052 wrote to memory of 1704	5052	cmd.exe	119
PID 5052 wrote to memory of 1704	5052	cmd.exe	119
PID 5052 wrote to memory of 1704	5052	cmd.exe	119
PID 5052 wrote to memory of 2652	5052	cmd.exe	122
PID 5052 wrote to memory of 2652	5052	cmd.exe	122
PID 5052 wrote to memory of 2652	5052	cmd.exe	122
PID 5052 wrote to memory of 2804	5052	cmd.exe	123
PID 5052 wrote to memory of 2804	5052	cmd.exe	123
PID 5052 wrote to memory of 2804	5052	cmd.exe	123
PID 5052 wrote to memory of 4772	5052	cmd.exe	124
PID 5052 wrote to memory of 4772	5052	cmd.exe	124
PID 5052 wrote to memory of 4772	5052	cmd.exe	124
PID 5052 wrote to memory of 724	5052	cmd.exe	125
PID 5052 wrote to memory of 724	5052	cmd.exe	125
PID 5052 wrote to memory of 724	5052	cmd.exe	125
PID 5052 wrote to memory of 2332	5052	cmd.exe	126
PID 5052 wrote to memory of 2332	5052	cmd.exe	126
PID 5052 wrote to memory of 2332	5052	cmd.exe	126
PID 5052 wrote to memory of 2312	5052	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe
"C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Drops file in System32 directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd.exe < C:\Windows\SysWOW64\IsAgent\\Setup.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im AsmAssistant.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="ASM 6000 Ass" dir=out program="c:\windows\syswow64\isagent\isahelp.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:1684
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="ASM 6000 Ass" dir=in program="c:\windows\syswow64\isagent\isahelp.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:2608
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="ASM 6000 Ass" dir=out program="c:\windows\system32\isagent\isahelp.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:1440
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="ASM 6000 Ass" dir=in program="c:\windows\system32\isagent\isahelp.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:2472
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram c:\windows\system32\isagent\isahelp.exe "ASM 6000 Ass" enable
      4⤵
      Modifies Windows Firewall
      PID:2700
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram c:\windows\syswow64\isagent\isahelp.exe "ASM 6000 Ass" enable
      4⤵
      Modifies Windows Firewall
      PID:1564
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="ASM 6000 Ass Server" protocol=TCP dir=out localport=36600 action=allow
      4⤵
      Modifies Windows Firewall
      PID:4732
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="ASM 6000 Ass Server" protocol=TCP dir=in localport=36600 action=allow
      4⤵
      Modifies Windows Firewall
      PID:5104
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AsmPatchAutoRepair" dir=out program="c:\windows\syswow64\isagent\AsmPatchAutoRepair.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:1728
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AsmPatchAutoRepair" dir=in program="c:\windows\syswow64\isagent\AsmPatchAutoRepair.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:1704
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AsmPatchAutoRepair" dir=out program="c:\windows\system32\isagent\AsmPatchAutoRepair.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:2652
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="AsmPatchAutoRepair" dir=in program="c:\windows\system32\isagent\AsmPatchAutoRepair.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:2804
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram c:\windows\system32\isagent\AsmPatchAutoRepair.exe "AsmPatchAutoRepair" enable
      4⤵
      Modifies Windows Firewall
      PID:4772
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram c:\windows\syswow64\isagent\AsmPatchAutoRepair.exe "AsmPatchAutoRepair" enable
      4⤵
      Modifies Windows Firewall
      PID:724
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="LcfP2PSeedTask" dir=out program="c:\windows\syswow64\isagent\LcfP2PSeedTask.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:2332
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="LcfP2PSeedTask" dir=in program="c:\windows\syswow64\isagent\LcfP2PSeedTask.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:2312
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="LcfP2PSeedTask" dir=out program="c:\windows\system32\isagent\LcfP2PSeedTask.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:4164
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="LcfP2PSeedTask" dir=in program="c:\windows\system32\isagent\LcfP2PSeedTask.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:4896
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram c:\windows\system32\isagent\LcfP2PSeedTask.exe "LcfP2PSeedTask" enable
      4⤵
      Modifies Windows Firewall
      PID:3624
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram c:\windows\syswow64\isagent\LcfP2PSeedTask.exe "LcfP2PSeedTask" enable
      4⤵
      Modifies Windows Firewall
      PID:3576
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="NATCheck" dir=out program="c:\windows\syswow64\isagent\NATCheck.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:3308
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="NATCheck" dir=in program="c:\windows\syswow64\isagent\NATCheck.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:3884
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="NATCheck" dir=out program="c:\windows\system32\isagent\NATCheck.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:4148
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="NATCheck" dir=in program="c:\windows\system32\isagent\NATCheck.exe" action=allow
      4⤵
      Modifies Windows Firewall
      PID:2976
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram c:\windows\system32\isagent\NATCheck.exe "NATCheck" enable
      4⤵
      Modifies Windows Firewall
      PID:1200
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram c:\windows\syswow64\isagent\NATCheck.exe "NATCheck" enable
      4⤵
      Modifies Windows Firewall
      PID:3388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K AddExcept.bat
      4⤵
      PID:4680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        5⤵
        
        PID:3320
    - - C:\Windows\SysWOW64\find.exe
        
        find "6.3."
        5⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ver "
        5⤵
        
        PID:4476
    - - C:\Windows\SysWOW64\find.exe
        
        find "10."
        5⤵
        
        PID:4432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c dir /a-d/b/s C:\Windows\system32\WindowsPowerShell\powershell.exe
        5⤵
        
        PID:3248
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Command Add-MpPreference -ExclusionProcess "IsaHelp.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -Command Add-MpPreference -ExclusionProcess "svchost.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\SysWOW64\CheckNetIsolation.exe
        
        CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
        5⤵
        
        PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c Ewfmgr C: -commit
  2⤵
  PID:3692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456
- \??\c:\windows\SysWOW64\isagent\IsaHelp.exe
  c:\windows\System32\isagent\IsaHelp.exe
  2⤵
  - Windows security bypass
  - Windows security modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  PID:3532
- \??\c:\windows\SysWOW64\isagent\IsaHelp.exe
  c:\windows\System32\isagent\IsaHelp.exe
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1936
- \??\c:\windows\SysWOW64\isagent\IsaHelp.exe
  c:\windows\System32\isagent\IsaHelp.exe
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:996
- \??\c:\windows\SysWOW64\isagent\IsaHelp.exe
  c:\windows\System32\isagent\IsaHelp.exe
  2⤵
  - Windows security bypass
  - Windows security modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  PID:5012

C:\Windows\SysWOW64\IsAgent\IsaSvcProtectServer.exe
C:\Windows\SysWOW64\IsAgent\IsaSvcProtectServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe
"C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe"
1⤵
- Checks computer location settings
PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /im IsaHelp* /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1328

C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe
"C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe"
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe
"C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe"
1⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe
"C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe"
1⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe
"C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe"
1⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe
"C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe"
1⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe
"C:\Users\Admin\AppData\Local\Temp\192.168.1.225_80_http_IsSetup_Agent (6).exe"
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IsaAgent.bin

Filesize
1KB

MD5
deeb5b56706cea7401085d0d173caa9a

SHA1
10003df2b3b57b9915762491119bb16cd4fc178c

SHA256
54b77ce2ded4395c119be0fd8a04635d80218ba99432721fbefb370a19e01274

SHA512
e19738d500dc6071f5773cc22cdf4624442f3400d96ac7f148b91f80819e84734a8fdfae47b5494703f8d44bd8c06429322f39b7e7e83191923bd3f9889b47c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsaAgent.bin

Filesize
2KB

MD5
375572d0aeae35be36459846bb292487

SHA1
2d58f63006d308d98488fb880ffbfb74f4999f53

SHA256
3dffec28bd08a8c0d687be42952b23b72c1c55ef5f37c81391f917998a8680fb

SHA512
e295adbd726b3352da915046f1f33d4fa96c9675a638349e96586289c586cec706aced958789e94a69c87362518120de9416f4a188956f821777d6c7c4f37097

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_txswezkb.ll3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
665KB

MD5
59e1d88f5a2b41095cbbcb2a0983f1a6

SHA1
815d0bd590d34f0ba186a08006d3354f2a2af750

SHA256
8c35cb89a294fdb648381363616c39f3713a9af95fe414da7ecf325aba8e72d1

SHA512
0d47f78d456eacc7a8082f9b85a9714d8caf9a6986c84a1a7cead37fdef585e8b373a23cfd311221cdfe9cd54dbd4ccc39cc7308d04e49e8105272fb9f5a4e71

Download Submit
C:\Windows\SysWOW64\IsAgent\AddExcept.bat

Filesize
1KB

MD5
1aaee55b7ec1e698ccee9e899cb3b2f5

SHA1
284996ca3bd288c61a79435714a6730aae8efdb9

SHA256
72a1a319aaa3bd95cd8101de62ea67e8e155461bcefc1183b12e8cbc635cb2e9

SHA512
0dbf6cb677b53fff8b7f4ce9e382cbe80de1a794fabcd992f206be7be1347a4da407642c9bdeca9d9eedf6abb58569b9794281c8ab617772046d272c5859a13e

Download Submit
C:\Windows\SysWOW64\IsAgent\AsmAuthClient.dll

Filesize
1.2MB

MD5
55ddca27c8910a70c282365579aa96c8

SHA1
c50f137a29546657ef959f1597853bb521c1350c

SHA256
2f215bbaceb25763d29555a47bd466f801ccde03cb028d64888d6f9e65520647

SHA512
fad1619983df7d4ec5c3acb4699ce39da7835d77d7b49afdd1f40ba8967a60990ce1a6d9e38af587c2c3b63e45ede45a56fc694d748ea5d782e079f471109103

Download Submit
C:\Windows\SysWOW64\IsAgent\AsmFunctionMgr.dll

Filesize
135KB

MD5
33ec759a0ca7e7f4769449ee2c7549b6

SHA1
efceffa2cada4c73e4a30b9911f3393d41e57017

SHA256
c04884031112a1b78061a34d143215ed8cb7fbd5364152fad1d44d231670defc

SHA512
ab978d564be6646178adde65bda96947d617b30bbd504d18d8f641c0d123c33ca6bcf402c5a3cfa5f234a92ad9c03ad7b4726b8ae2cfcd8951c90e4b683d5eae

Download Submit
C:\Windows\SysWOW64\IsAgent\DuiLib.dll

Filesize
1.3MB

MD5
55b09b484d471f09fae1b8b238736f36

SHA1
cb9886e1b8c8bf6cba227e57081e693044584eef

SHA256
ec79bd449332ffb1085b34741287d6fb383941692116c6d1f0ba3c2460db1011

SHA512
38b6d6368da6d55503fce65b61fa4843be7d9a0450b57f9808d56b225742aa5cbcf7593c5d7b794b4d8acfe05dc51ad74f0dd871d6dd1b93ebb23f2a2c308705

Download Submit
C:\Windows\SysWOW64\IsAgent\Internal_Config.xml

Filesize
464B

MD5
628a32e148175849b8bed154229b9a4d

SHA1
afc6776f51ad6e0d2355ccd74d1596e7628a9053

SHA256
90fda9d9bf7e5d8a795d85539a6a98036aaebcc9801e7de33edb6f5671e13886

SHA512
6d3a4a01fc9f94f0d3bbc237fda967abed95cee2cd224e92189c62b5138064c32185599ea4bb13e3022f1fa7b005aa3050de235b910825d13d13a16132c52cbe

Download Submit
C:\Windows\SysWOW64\IsAgent\IsaAgent.bin

Filesize
4KB

MD5
c68ed6bb54df102ea2f64bf1c640b865

SHA1
e63723060e95b7d05f5f446c46b4e8f95b413d86

SHA256
1f3c24b86793685d77634fe2b6cded76d72972278b525b2a87822aa370684d28

SHA512
575ce38fdee94b98788141e7e03389d1d12899dc87edc87b918ddd9df0e3126984073fd6cf026db0e9029600555d7e34d961f7ef8f76a3d9d05cff8cd9368583

Download Submit
C:\Windows\SysWOW64\IsAgent\IsaAgent.bin

Filesize
5KB

MD5
342ca5902b994f86f896fc8bff66daf3

SHA1
a702dc75bde32a0a32468ae2888b8e2ce5892742

SHA256
fcd799b69a9272d89754a3fb37352b2613e00187b1b65c38211bd4690500cf4b

SHA512
7e1318a28d959a03910481e62195f0f626f6dd547b94a3a14601babf7146873e1fc146a2eff3a12828b23657be17bab513e13d25dec374e44e290b02daacc89c

Download Submit
C:\Windows\SysWOW64\IsAgent\IsaDriver.dll

Filesize
1.5MB

MD5
a928161b014ef7e258a51f68aa75f9f3

SHA1
56a5317044ae1e95503b7f9fcb75aa6c0a70b8c3

SHA256
cab484610f9ba36b6f72590fe163d290bd659c871234e86259173915b2c40161

SHA512
75b0d96d0c0ba5c503a5e9f29a61aad207de7b5080d5ccdd7f86b3f033cfa622a96812009cf58ddafd79e4f7a011a0072ada0bf250bbcea0a82329a38e6b3e2a

Download Submit
C:\Windows\SysWOW64\IsAgent\IsaManage.dll

Filesize
505KB

MD5
44e9f324b52c7ddc073a4dbef958a66b

SHA1
6d65d4561a3f2d2dfed012e564eb3a4d6899369f

SHA256
0f636277663e60484c50a2bcc54fed78a207c30a662538d01c4fe548af863011

SHA512
2dfd3c64fc1acbf9ee52d62090fc2300023b19cc087f802bbdced6ed6f5fa5f9a75c85e482490d14499fbaed0c80762377ebdccae05a9e1a072cbb4275400a71

Download Submit
C:\Windows\SysWOW64\IsAgent\IsaSvcProtectServer.exe

Filesize
111KB

MD5
af5acf638b07a1024223e2c311c3ff48

SHA1
77b03bf3953c8310d054e96f3234fdde47553847

SHA256
5809436cdd677cf01538bf84725e3e15584b7f88bb5a0d2cace429206b7376b9

SHA512
58c2ec5dadbfda7258d7539e4a54ab03859987893f3e7db3afe0751e8545724e44478bbf7b07b53b0a80318df21167499c7f5c43d517058f3a3c536fa18473a4

Download Submit
C:\Windows\SysWOW64\IsAgent\IsaTrayMenu.dll

Filesize
583KB

MD5
7f08c0d7f4ed3e3a66a6e29c6a570f55

SHA1
8c940b2207533ad9fed67a1e9272c7b56244b008

SHA256
b5fb472308cb3ef4506e99fba104fa7dfcc73bf7ae633bf0ed3105e6ca602acd

SHA512
f141ca746135430d6325eceb2f88c17b1d81bc9a955e02e41c530dbc3415e1881f603290410ab841e153d7f48602ae46c0935f7a5e473a53e90ec3f2cec5f6af

Download Submit
C:\Windows\SysWOW64\IsAgent\IsaWebSocketServer.dll

Filesize
705KB

MD5
d5e0f6ae79e5445ae5dad412e6700e2d

SHA1
83ca4b14a9db61f67c12e9eb25b1f6ca1faed5fc

SHA256
f44fa6e435adffaaf9fc272416fd2e9b6aa1bde543026ceaea611c69aa68a94a

SHA512
2054ec3178a10abb0f43ae9a182fd914cdc5d8d5dfccbceec1babbf1b184fcb98721a905efe806c4929c36c7488afdc36bb6b5e67363d574a1fd62ec1cafe15c

Download Submit
C:\Windows\SysWOW64\IsAgent\Setup.bat

Filesize
5KB

MD5
fff353b463e22f0834a2e9ebb310f51a

SHA1
4d85a4d7c3715a755bf30bff995cff9ebe5bd0be

SHA256
ccf0f28958019e6889fb8ad21bfd1a029b6b6d93ece38ca4d267ef03cbd83b30

SHA512
15618dcf3901dbc1f35390c26affdd690b51c8486243499dbd01d0de8c6aa48ccb8b036ef757634b13eea76c662dc098da5b81309551b3a032b8ddfca5a3fcaa

Download Submit
C:\Windows\SysWOW64\IsAgent\config.xml

Filesize
162B

MD5
802fb5b037aa9944956013df5fcab57e

SHA1
79a14faf5defb76047ed6818e233780688d3a04f

SHA256
1e4592ad1ab30e9847945c8330838e6849d46ffcda3d267736f1fe28d3ce01e1

SHA512
0d37c5841a1dd3107e3cc77e2e822f9af0946dc15aac61e9f45a0bbd6fdad2c70f75a506f568e8cdb2ac06af818b6a64b925ca1657900f2ff756114e70c3fa56

Download Submit
C:\Windows\SysWOW64\IsAgent\skin\AboutWnd.xml

Filesize
2KB

MD5
ffaaf323be805ee2eeabc4e080607a57

SHA1
cca407d759874c25cb7dfa24ff635de5e3058e48

SHA256
970391b67557eef91246afbe379f6295f1ee05d072a5354ace0edadbfc870b34

SHA512
61d25d4192702b96ab7effe99d7d03f44d69c3a15beec86c7fb5e7ff73029b3eab2c0f8b279913c191bf47bc9cc83ebb30cb5ca60d5ea8a38269420c84266476

Download Submit
C:\Windows\SysWOW64\IsAgent\skin\img\btn_close_highlight.png

Filesize
474B

MD5
704a6ff93dc2aa583be3e77dd0c91fb0

SHA1
725634b8abe754eb4117a7782c20b4ec2c6cd9cf

SHA256
a71d62d03e0ea2df3909feaa16a3c29a0174aae37be377449f33b9d987df45c4

SHA512
dd42660d36d7eaeb8cb4a8b479d9a5d50837019574266e88249ecc7c7e188280096f6540714b77692fef2b148a3ce0e2d956db5be54884100a898db479c50180

Download Submit
C:\Windows\SysWOW64\IsAgent\skin\img\false.png

Filesize
4KB

MD5
267035a043497cfb5f81c6246424d5e9

SHA1
dd03f2b6f6e8b9dd43cfcc2acc7e17101fa1dab4

SHA256
81e539fa2d1c694cd421cc76e0906bf036434595c0c5f08d0f7f9721ef11924a

SHA512
56f7e0b6a63179ebab991efb7a6f19d49c64eed3c6de72e4f954d582aaee76a84469749da2cfa2eba9497dde777028084ba70e2c6540d2ebac738005518c5a2d

Download Submit
C:\Windows\SysWOW64\IsAgent\skin\img\success.png

Filesize
3KB

MD5
5fc45bf4b5b0ce2946b2ad442f43cd7e

SHA1
e87dd88db199dd378f9a9e7ab41a2dcb567d3d16

SHA256
fcd6e67003688b26fafc4ed2003b3ba74414c28bab51953a9f7c58145e7bcd3b

SHA512
8af3928d4da6e88423fee2c6afb42ae883f870723e1d09c6a4454a78993898da9d40c19f8e20936f315fa750fa491eafb31ade40440fc0a3ea3443e634637afa

Download Submit
C:\Windows\SysWOW64\IsaAgent.bin

Filesize
2KB

MD5
c08e35dd3915850b47fab4ce7f8c4f67

SHA1
cce28d6c5e74e4d9edf70df7e9fd4741d790ed37

SHA256
8982cbaece1536a80d54f9d6f690b1ad8be9614eaecfef1d84d9040c50646774

SHA512
f064d22ef471ad1075b13e2c42637df8971442803007577ad4a7fdb47e1c435250d4e70e4ea127c91d9bf1da7c705eddc6bc689b4acc4034371e5598ec12a3f6

Download Submit
C:\Windows\SysWOW64\IsaAgent.bin

Filesize
4KB

MD5
25ae14dd2671f70e431bc0d7132aaf7b

SHA1
37e41c7a4ea1a288af6ea5e98fb153dcdeb54087

SHA256
7112afa158b3262beeda8739fe5d174c63fbcdc72883f9826e73fe1001491ee7

SHA512
451da5defb98b7903730caf387ed903138fdab0c52a43a8f4249663f980bfc45635986dc2155a3ab00ed3d11ceeb687a117d69b07cb56faa91a0608a427e717b

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaAgent.bin

Filesize
1KB

MD5
a20825cef997873fbfc3b1a8d045beb8

SHA1
fb54979ec6ad4a98be7931a7006f242eb940ca20

SHA256
40c97483b13d6e3f65af72a0c04b22bef291d717a3ac3cf7f9a862780f364477

SHA512
7dc5ed62594f320420cb3cb7811bf81a6c4388338a89f47b9d7fc65ca856cf9bf62ee8228025866cc06fdea915f51c200d6b8084bc6cd4b51a11620d546c0788

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaAgent.bin

Filesize
7KB

MD5
f4c358e523cb05bf3d2a5f477c623de0

SHA1
f8dee8454e07a3d2f571910a6049736922ac00d0

SHA256
607774b59a8d0c48222ca3d93485d86ae7fab0392e8533dddb219a7c32e6ce7b

SHA512
9a29048d826e7b9e688f968a7fe23ff2395e9577b123677f6a6d56b8ace669000c1f0cbaa32079cbcd4b403085869a984ea0f0390279aa5d2ba21db667631767

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaAgent.bin

Filesize
7KB

MD5
0d3b2d0b6c5c3acba0ba1e13179ce547

SHA1
9ec28de82dfcbb03a4d427c285d6ff29f544c2b1

SHA256
7899d3f686a55415b7dfb5a491c23ddae18aa3dd6052c0dd564bdfe1131fdda3

SHA512
7a17274aae82735dc20b4679e49c9c030db556ffa46ae786734304335294350b214a0cccc2529d6b94b9f702e7e93b3cf0a88ca517eb924ad71b14a4a0bde85d

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaAgent.bin

Filesize
7KB

MD5
4b1009cf6eb6d9319bc511438b499b33

SHA1
70b1d44f7e0130a319d69312cccaca17bd5f9d14

SHA256
f18b698a7135f2efc6e0da45de93c15c26d9e72723a9075c7de0304a86bb5110

SHA512
945915eef29455c35bf5bf921d45e54020409900accfcf29fb312f8066cee482fb753c11b89f6da9de539ff08f50575bae8889eeb22a20d7f97f914b95b45dc3

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaAgent.bin

Filesize
10KB

MD5
a18f48c94da09b9e0838dfa8cd3e1db1

SHA1
48b3547171053c72823328f15194850e192b8342

SHA256
d2e10606c3e4a58e43937f9f7339e39d0ccf1d1ca8d65a8b5ce204728be91861

SHA512
26804beecd8d6e2e8e3d6fa5fd5737393aa0d4e7772fe015d1eb6a5db1665ab501cd2c0c744b0f542436eb483299caee5b025bf25a4ea0b94b096d59708b7478

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaAgent.bin

Filesize
11KB

MD5
d259ebf74bca95b46bba47f8e2c485de

SHA1
773f15c42ca4eebf46fd99e6f7f753bed0666bd1

SHA256
b57f3ec0753e44c0a85347507833039dc0dafedfa7b5b31e6b121cd5ca1a6cd6

SHA512
48349f745c47f19a6b5b1ebc864f9086479499de0c55e3d0c06ea247e6a679b1e3a19316d90e3371230d4c0cb36231297fb60674cca453a9114d33cd0faa4542

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaAgent.bin

Filesize
11KB

MD5
a3bb2707ac5d1e0ba1af1b4671b413b7

SHA1
c8ed473f884e10d8db19e2b799952b265887a2d9

SHA256
4b607e7aa1fc2bd556c0486ad91c9ac24bf6a7f01a697f2caed8a9b7637f162a

SHA512
3323d5cb198827a26964e77eb78bcfb96cddbff2f5e599a0ccfece8b78344a914b3fa1835a746cf6600e591f9b38055c7141e5d9452d85c3181b12c9cdb9b41f

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaAgent.bin

Filesize
12KB

MD5
ab72a011d755fcd0c0c23b57d4b2953e

SHA1
7eb3e26699c91236f702ccc482ab7e68705cd561

SHA256
78633b14211a762dc84b49f459fa43eae9888bd15d97d6467aee025352ec95f8

SHA512
3d0f93df687d35b5c1900aa4cc62eb0fb8ac2694ac21949bddc8736818a2ec2126e7342e9d4520fc0fd4d68d7c0f63751d63f19de073b26e97ebab6724254167

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaCtrl.dll

Filesize
337KB

MD5
1e69169d60b46202cf4069326762e1e0

SHA1
37009abaeccc4d5fe0646aac45bc849f0d788755

SHA256
e39d6ebcf652fa455a04cbbf0abc9d272fd2ef9f213f3b0a354d602a6f39f9ec

SHA512
49539b3e7ba4f8155569ab7c10672361594af9a80259e1c97526ac3b67758a4b6b253c7c62d726c3f3da54bcef85e08548186abc458bf93c48c25c8c295253ff

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaHelp.exe

Filesize
95KB

MD5
ac01558ba2a2181b02999ee0fec5c2f7

SHA1
0e179e01d03b3628bc24297d32dcdf8f20f39ddc

SHA256
7fccbb402ca1d59c543bda625242924a8edaa8aeecb4d6494e464b63c1dedb60

SHA512
01f1dd46adadd74f2cbfe9fa1a913fe86ca92fc26b4a0a6c1dfa432c0cea802b8d335cd7aca4b40d9879b27456d03b229c6559367f0740ec993388d8697051c6

Download Submit
\??\c:\windows\SysWOW64\isagent\IsaTrayMenu.zip

Filesize
304KB

MD5
b9fb2afc67bb44e3067f1b493689eec7

SHA1
e352dc8e1c571bb3152d8b0a693223d6ac6d07bd

SHA256
698f12c4733bbadc23f9997a6cac5e9beeaa3d0961fdeb16dfa1cd160480157f

SHA512
a8305e581c4e928028b3599bc7727ced44439142aaa1a2ec7f5eda17a4509c2fbd4d3775e331dd0a5d6cae7fb32c8c17d5da79bfa41ae1ee1d934ecef3f84aa0

Download Submit
\??\c:\windows\SysWOW64\isagent\isasvc.dll

Filesize
119KB

MD5
40fc7d3c7ac808a4fd5a6bf3eaab804a

SHA1
84e705412f558641625b4026220d7ad9fc927964

SHA256
d74d2ba9aaad3760727f4f4ce45f20076f481f96e226d54ba91b53e39b1b413a

SHA512
70c3243535c13024669f69631eca576c13aeb136abc9029e9ce61d1abad09ab3429585faf4a89820e490c10b08c9268ce44ad20341d5568dfd35c5df12fd9e14

Download Submit
memory/456-153-0x0000000002100000-0x000000000216C000-memory.dmp

Filesize
432KB

Download
memory/996-994-0x0000000002930000-0x000000000295E000-memory.dmp

Filesize
184KB

Download
memory/996-628-0x00000000007B0000-0x00000000007D6000-memory.dmp

Filesize
152KB

Download
memory/996-794-0x0000000004DE0000-0x0000000004F65000-memory.dmp

Filesize
1.5MB

Download
memory/996-986-0x00000000028C0000-0x00000000028DD000-memory.dmp

Filesize
116KB

Download
memory/996-1000-0x0000000003A00000-0x0000000003A37000-memory.dmp

Filesize
220KB

Download
memory/1684-541-0x000000006F970000-0x000000006F9BC000-memory.dmp

Filesize
304KB

Download
memory/1684-555-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/1684-553-0x0000000007470000-0x0000000007484000-memory.dmp

Filesize
80KB

Download
memory/1684-552-0x0000000007440000-0x0000000007451000-memory.dmp

Filesize
68KB

Download
memory/1684-540-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/1684-539-0x0000000005A30000-0x0000000005D84000-memory.dmp

Filesize
3.3MB

Download
memory/1684-529-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/1684-528-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/1936-238-0x0000000000530000-0x0000000000556000-memory.dmp

Filesize
152KB

Download
memory/1936-502-0x00000000035C0000-0x0000000003745000-memory.dmp

Filesize
1.5MB

Download
memory/3532-175-0x0000000000650000-0x0000000000676000-memory.dmp

Filesize
152KB

Download
memory/3532-281-0x0000000001DC0000-0x0000000001F45000-memory.dmp

Filesize
1.5MB

Download
memory/3736-134-0x00000000030D0000-0x00000000030F6000-memory.dmp

Filesize
152KB

Download
memory/3736-113-0x0000000000690000-0x00000000006B6000-memory.dmp

Filesize
152KB

Download
memory/4204-274-0x0000000003140000-0x0000000003176000-memory.dmp

Filesize
216KB

Download
memory/4204-461-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/4204-466-0x0000000006CE0000-0x0000000006D12000-memory.dmp

Filesize
200KB

Download
memory/4204-487-0x0000000007C30000-0x0000000007C41000-memory.dmp

Filesize
68KB

Download
memory/4204-427-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/4204-480-0x0000000007900000-0x00000000079A3000-memory.dmp

Filesize
652KB

Download
memory/4204-521-0x0000000007C60000-0x0000000007C6E000-memory.dmp

Filesize
56KB

Download
memory/4204-522-0x0000000007C70000-0x0000000007C84000-memory.dmp

Filesize
80KB

Download
memory/4204-523-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/4204-524-0x0000000007CB0000-0x0000000007CB8000-memory.dmp

Filesize
32KB

Download
memory/4204-527-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/4204-478-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4204-479-0x00000000078D0000-0x00000000078EE000-memory.dmp

Filesize
120KB

Download
memory/4204-468-0x000000006F970000-0x000000006F9BC000-memory.dmp

Filesize
304KB

Download
memory/4204-486-0x0000000007CC0000-0x0000000007D56000-memory.dmp

Filesize
600KB

Download
memory/4204-483-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/4204-485-0x0000000007A90000-0x0000000007A9A000-memory.dmp

Filesize
40KB

Download
memory/4204-463-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/4204-456-0x0000000006130000-0x0000000006484000-memory.dmp

Filesize
3.3MB

Download
memory/4204-381-0x0000000006050000-0x00000000060B6000-memory.dmp

Filesize
408KB

Download
memory/4204-302-0x0000000005630000-0x0000000005652000-memory.dmp

Filesize
136KB

Download
memory/4204-484-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/4204-467-0x000000007F780000-0x000000007F790000-memory.dmp

Filesize
64KB

Download
memory/4204-276-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/4204-277-0x0000000005970000-0x0000000005F98000-memory.dmp

Filesize
6.2MB

Download
memory/4204-275-0x00000000733D0000-0x0000000073B80000-memory.dmp

Filesize
7.7MB

Download
memory/5012-987-0x00000000030B0000-0x00000000030CD000-memory.dmp

Filesize
116KB

Download
memory/5012-995-0x0000000003110000-0x000000000313E000-memory.dmp

Filesize
184KB

Download
memory/5012-879-0x0000000001F00000-0x0000000002085000-memory.dmp

Filesize
1.5MB

Download
memory/5012-832-0x00000000004A0000-0x00000000004C6000-memory.dmp

Filesize
152KB

Download
memory/5012-1007-0x00000000030D0000-0x0000000003107000-memory.dmp

Filesize
220KB

Download